Updated on 2024-02-04 GMT+08:00

What Are the Security Group Authorization Rules for Cloud Phones Using Custom Networks?

If you set Network to Custom when you create a cloud phone server, CPH will create the cph_admin_trust agency that has the VPC FullAccess permissions for you.

Before authorizing CPH to create an agency, ensure that your login user has the Security Administrator permissions or the fine-grained iam:agencies:createAgency permissions. For more information, see Permissions Management.

CPH will use the agency to perform the following operations:

  • Create elastic NICs, and assign EIPs and virtual IP addresses for cloud phones.
  • Create the system-cph-sg security group for the cloud phone server, and set the port or port range based on Figure 1 and Figure 2.
Figure 1 Inbound rule
  • Port 22 is used to connect to the cloud phone from the Internet using ADB and through the SSH encryption tunnel.
  • Ports 10000 to 19000 are mapped to the available application ports of each cloud phone. You can view the available application ports on each cloud phone in the cloud phone details.
  • The CPH deny rule for tenant vpc rule restricts the cloud phones virtualized from the servers in the same VPC so that the phones cannot access each other through ports 1 to 9999.
Figure 2 Outbound rule

By default, if an ECS and a cloud phone are in the same VPC, the ECS cannot access the cloud phone through ports 1 to 9999. If you want to allow such access, add a security group rule with a higher priority. For example, if the IP address of an ECS is 192.168.0.164 and you want to access a cloud phone through port 4555, add the following inbound rule:

  • Priority: Set it to 1.
  • Action: Select Allow.
  • Protocol & Port: Set the port to 4555.
  • Source: Enter 192.168.0.164.
Figure 3 Adding a security group rule of a higher priority
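
The effect of the higher-priority rule can be checked with a small model of the rule evaluation. This is an added example, not CPH code or output: `Rule`, `evaluate` and `exposure` are hypothetical names, and the VPC CIDR, the priority 100 of the default rules, the lower-number-first ordering and the deny-before-allow tie-break are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # assumption: lower number is evaluated first, 1 is highest
    action: str     # "allow" or "deny"
    ports: range
    source: str     # CIDR

# Constructed values: the VPC CIDR and the priority of the default rules are
# assumptions; the page shows the real ones only in Figure 1.
VPC_CIDR = "192.168.0.0/16"
DEFAULT_RULES = [
    Rule("app ports", 100, "allow", range(10000, 19001), "0.0.0.0/0"),
    Rule("CPH deny rule for tenant vpc", 100, "deny", range(1, 10000), VPC_CIDR),
]
# The exception from the page: ECS 192.168.0.164 may reach port 4555.
ECS_EXCEPTION = Rule("ecs to 4555", 1, "allow", range(4555, 4556), "192.168.0.164/32")

def evaluate(rules, src_ip, port):
    """Return the action of the first matching rule; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    # Assumption: at equal priority a deny rule is checked before an allow rule.
    for r in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if port in r.ports and ip in ipaddress.ip_network(r.source):
            return r.action
    return "deny"

def exposure(rule, deny):
    """Count (source address, port) pairs an allow rule opens inside a deny rule."""
    if rule.action != "allow" or rule.priority >= deny.priority:
        return 0
    src, blocked = ipaddress.ip_network(rule.source), ipaddress.ip_network(deny.source)
    if not src.overlaps(blocked):
        return 0
    # Overlapping networks are nested, so the smaller one is the intersection.
    hosts = min(src.num_addresses, blocked.num_addresses)
    ports = len(range(max(rule.ports.start, deny.ports.start),
                      min(rule.ports.stop, deny.ports.stop)))
    return hosts * ports
```

An `exposure` of 1 means the exception opens exactly one host and one port; a larger value means the new rule overrides more of the deny rule than the single ECS-to-port case requires.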
